Your pkcs12 file must include the CA certificate. Your NSS db doesn't show any CA. I assume your Java export was incomplete.
Sent from my iPhone

> On Aug 18, 2016, at 8:02 AM, Sowmini Varadhan <[email protected]> wrote:
>
> Hi,
>
> I am trying to export (as a pkcs12 file) a keypair generated by
> java/keytool into NSS and use this for ipsec. I am following
> similar instructions for openssl documented in the libreswan wiki.
>
> I'm able to get the tunnels to load, but IKE auth does not converge:
> tcpdump reports (n: doi=ipsec proto=isakmp type=AUTHENTICATION-FAILED)
>
> I suspect this may be because I am missing something in
> /etc/ipsec.d/ipsec.secrets. I could use some hints about what I may
> be doing incorrectly.
>
> Here's what I am doing:
>
> With keytool generate a pkcs certificate on the right-node.
> e.g.,
> right# keytool -exportcert -keystore java/my.pkcs12 \
>     -storetype pkcs12 \
>     -validity 720 -v -alias BDS \
>     -genkeypair -keyalg RSA -storepass $passwd -keypass $passwd
>
> Now import this with ipsec:
> right# ipsec import java/my.pkcs12
>
> Check that it is there:
> right# certutil -L -d sql:/etc/ipsec.d
>
> Certificate Nickname                                Trust Attributes
>                                                     SSL,S/MIME,JAR/XPI
>
> bds                                                 u,u,u
>
> Modify the right-node config file for this tunnel:
>
> right# grep right /etc/ipsec.d/eth4.conf
> rightid="CN=bds"
> right=14.0.0.70
> rightcert=bds
> rightrsasigkey=%cert
>
> On the left node, import the public key. First export it on the right node:
>
> right# certutil -L -n "bds" -d sql:/etc/ipsec.d/ -a > right.crt
>
> Copy right.crt over to the left node, then
> left# certutil -A -i right.crt -n "bds" -t "C,C,C" -d /etc/ipsec.d
>
> Left will report it as:
>
> left# certutil -L -d /etc/ipsec.d
>
> Certificate Nickname                                Trust Attributes
>                                                     SSL,S/MIME,JAR/XPI
>
> bds                                                 C,C,C
>
> Add the info to the ipsec.d/*.conf:
> left# grep right /etc/ipsec.d/eth4.conf
> right=14.0.0.70
> rightid="CN=bds"
> rightrsasigkey=%cert
>
> Now restarting ipsec loads tunnels but ike does not complete the
> auth phase.
> Is something missing in some other /etc/ipsec.d config
> file to tell it to go look in sql:/etc/ipsec.d?
>
> Thanks in advance for hints,
>
> --Sowmini
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
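The reply's point is that the bundle handed to `ipsec import` has to carry the issuing CA certificate, not just the keypair. The script below is an added example, not code from the thread, from libreswan or from Java: it builds a throwaway CA and a CA-signed `CN=bds` certificate with openssl (instead of keytool, so it runs anywhere openssl is installed), exports the key once without and once with the CA, and counts the certificates in each bundle, which is the check worth running on a PKCS#12 file before importing it. The CA name "Example IPsec CA", the password and the file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): produce a PKCS#12 bundle that carries
# the end-entity key/cert AND the issuing CA certificate, and inspect it the
# way you would before running `ipsec import`.  All names and the password
# below are assumptions made for the example.
set -eu

P12_PASS="${P12_PASS:-changeit}"   # assumed password; `ipsec import` prompts for it

# make_test_pki DIR: create a throwaway CA and a CA-signed leaf cert (CN=bds).
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example IPsec CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bds" \
        -keyout "$dir/bds.key" -out "$dir/bds.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/bds.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/bds.crt" >/dev/null 2>&1
}

# export_p12 DIR NAME OUT [CA_CERT]: bundle NAME's key and cert into OUT.
# Passing the CA certificate adds it with -certfile, so the chain travels
# with the key; omitting it reproduces a keypair-only export like the one
# the thread describes.
export_p12() {
    dir="$1"; name="$2"; out="$3"; ca="${4:-}"
    if [ -n "$ca" ]; then
        openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
            -certfile "$ca" -name "$name" -caname "Example IPsec CA" \
            -passout "pass:$P12_PASS" -out "$out"
    else
        openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
            -name "$name" -passout "pass:$P12_PASS" -out "$out"
    fi
}

# count_p12_certs FILE: print how many certificates the bundle contains.
# For libreswan you want to see 2 here (leaf + CA); a bare keypair export
# prints 1, and NSS will then show no CA after the import.
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# On the libreswan gateway (not exercised here; needs the NSS tools and root):
#   ipsec import bds-with-ca.p12
#   certutil -L -d sql:/etc/ipsec.d
# should now list the CA next to "bds".  If the CA row shows no trust flags,
# mark it as a trusted CA for the connection's cert checks:
#   certutil -M -n "Example IPsec CA" -t "CT,," -d sql:/etc/ipsec.d

# Stand-alone run: `sh this_script.sh demo` builds both bundles and reports
# the certificate counts side by side.
if [ "${1-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    export_p12 "$work" bds "$work/bds-keypair-only.p12"
    export_p12 "$work" bds "$work/bds-with-ca.p12" "$work/ca.crt"
    echo "keypair-only bundle: $(count_p12_certs "$work/bds-keypair-only.p12") certificate(s)"
    echo "bundle with CA:      $(count_p12_certs "$work/bds-with-ca.p12") certificate(s)"
    rm -rf "$work"
fi
```

`pk12util -l bds-with-ca.p12` gives the same inventory from the NSS side if you would rather check with the tool `ipsec import` calls. With keytool the equivalent of `-certfile` is importing the CA certificate and then the CA-signed certificate reply into the same keystore, so that the key entry's chain is complete before the keystore is handed over. One caveat when mixing toolchains: OpenSSL 3 encrypts PKCS#12 bundles with AES/PBES2 by default, and older NSS releases may refuse such a file; if `pk12util` rejects the bundle, re-export it with OpenSSL 3's `-legacy` option.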
